Vigil@nce: Apache Tomcat, information disclosure via mod_proxy_ajp
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
In some cases, the mod_proxy_ajp module can send to the client
data belonging to another user.
Severity: 2/4
Consequences: data reading
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
* Creation date: 23/04/2009
IMPACTED PRODUCTS
– Apache httpd
DESCRIPTION OF THE VULNERABILITY
The mod_proxy_ajp module is the interface between the Apache httpd
server and the Apache Tomcat server.
An AJP (Apache JServ Protocol) request is composed of:
– an header
– a body ("POST")
However, if the client closes the session before sending the body,
the mod_proxy_ajp module of Apache httpd 2.2.11 desynchronizes.
Data belonging to another user can thus be returned to the client.
This vulnerability is different from VIGILANCE-VUL-8609
(https://vigilance.fr/tree/1/8609).
In some cases, the mod_proxy_ajp module can therefore send to the
client data belonging to another user.
CHARACTERISTICS
Identifiers: 46949, BID-34663, CVE-2009-1191, VIGILANCE-VUL-8669
http://vigilance.fr/vulnerability/Apache-Tomcat-information-disclosure-via-mod-proxy-ajp-8669